TikTok has been fined €530 million (approximately $600 million) by the European Union for unlawfully transferring European user data to China and failing to ensure adequate protections against potential access by Chinese authorities. The fine, issued by Ireland’s Data Protection Commission (DPC), is the second-largest ever imposed under the EU’s General Data Protection Regulation (GDPR).
The DPC’s investigation revealed that between 2020 and 2022, TikTok did not sufficiently inform users about the transfer of their data to China or the possibility of access by Chinese authorities. Although TikTok initially denied storing European user data in China, it later acknowledged that some data had been stored there, contradicting its earlier statements. The DPC criticized TikTok for not verifying or demonstrating that the data accessed by employees in China was protected to EU standards, especially considering Chinese laws that could compel data sharing with authorities.
In response, TikTok stated that it has never provided European user data to the Chinese government and has not received such requests. The company plans to appeal the decision and highlighted its “Project Clover” initiative, launched in 2023, aimed at enhancing data security through the establishment of data centers in Europe and independent access monitoring.
The ruling also mandates that TikTok must bring its data processing activities into compliance within six months or face a suspension of data transfers to China. This development adds to the growing scrutiny of TikTok’s data practices, particularly concerning its Chinese ownership and the potential implications for user privacy.